Back in March 2014, I contacted ASDA to report several security vulnerabilities and despite a fix promised "in the next few weeks", little appears to have changed.
@Stuho1mez All of our sites are secure, I would advise using Chrome. Thanks, Beth— Asda Service Team (@AsdaServiceTeam) January 14, 2016
After 677 days and several tweets in a similar vein, my patience has finally run out.
What's the problem?
Two of the simplest and most prevalent exploits allow an attacker to quickly & effectively collect personal information & full payment details.
Have I been affected?
As of Q2 2014, ASDA processed upwards of 200,000 online orders each week. Given the length of time this has been exploitable, that equates to over 19 million transactions.
I'm not aware of any evidence suggesting these exploits are being used in the wild, but just a few months after my initial report, this tweet appeared.
@asda some one hacked my acc to make fraud on line purchases the bank caught it thank god but warn ur customers and i need a number to ring— cathy creighton (@Ruby6918) June 10, 2014
Unfortunately, it's difficult to know if your details have been stolen unless the attacker uses the information very shortly after the breach occurs, such that it's reasonable to assume a link between the two. However, ASDA may be able to shed further light on anyone affected by this, or any other exploit.
How can I protect myself?
The safest way is simply to shop elsewhere.
ASDA/Walmart have had ample opportunity to fix these issues and have failed to do so. If you must continue shopping with ASDA, open a "private" / "incognito" window and do not open any other tabs/windows until you've logged out.
Well, they don't enforce SSL/TLS during login, and the entire session is maintained over an insecure protocol.
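To make that concrete, here is an added example (my own, not code from ASDA or from this post) that audits a login flow for exactly those two weaknesses, using constructed sample responses rather than live traffic; the hostname, cookie name and header values are assumptions.

```python
"""Audit a login/session exchange for a login page not forced onto TLS and
a session carried over plain HTTP. Sample responses are constructed below."""
from dataclasses import dataclass, field

@dataclass
class Response:
    url: str                      # URL the response was actually served from
    status: int
    headers: dict = field(default_factory=dict)
    set_cookies: list = field(default_factory=list)

def audit_login_flow(login: Response, post_login: Response) -> list:
    findings = []                 # empty list means every check passed
    # 1. The login page must be HTTPS, or at least redirect there.
    if login.url.startswith("http://") and not (
        300 <= login.status < 400
        and login.headers.get("Location", "").startswith("https://")
    ):
        findings.append("login page served over plain HTTP without redirect to HTTPS")
    # 2. The authenticated session must stay on HTTPS afterwards.
    if post_login.url.startswith("http://"):
        findings.append("authenticated session carried over plain HTTP")
    # 3. The session cookie needs Secure (never sent in clear) and HttpOnly
    #    (not readable by page script).
    for cookie in post_login.set_cookies:
        name = cookie.split("=")[0]
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure flag")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly flag")
    # 4. HSTS makes the browser refuse plain HTTP on later visits.
    if "Strict-Transport-Security" not in post_login.headers:
        findings.append("no Strict-Transport-Security header")
    return findings

# Constructed sample: the weak deployment described above (hostname assumed).
WEAK = audit_login_flow(
    Response("http://shop.example/login", 200),
    Response("http://shop.example/account", 200,
             set_cookies=["SESSIONID=abc123; Path=/"]),
)
# Constructed sample: the hardened counterpart.
HARDENED = audit_login_flow(
    Response("http://shop.example/login", 301,
             headers={"Location": "https://shop.example/login"}),
    Response("https://shop.example/account", 200,
             headers={"Strict-Transport-Security": "max-age=31536000"},
             set_cookies=["SESSIONID=abc123; Path=/; Secure; HttpOnly"]),
)
```

Run against captured responses from a real login, the weak deployment produces five findings and the hardened one none.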
Another user spotted this too... and tweeted ASDA.
Did they acknowledge the issue & deploy a fix? Not quite.
@cmrowles Morning! We've had it confirmed that the page is secure 😊 Thanks, Beth— Asda Service Team (@AsdaServiceTeam) February 10, 2015
When Sarah tried to apply for a job, she was greeted with this error.
Did they spot their mistake, generate and deploy a new certificate?
@NyowcatS Hi Sarah, I can confirm that all our Asda web pages are secure, Thanks Steph— Asda Service Team (@AsdaServiceTeam) May 26, 2015
No. They go on to recommend Sarah delete her cookies!
Scott tried to apply for a job too.
@asda I'm trying to apply for a job on your site. But anytime I try to access the application part. It tells me the website's in danger— scott paterson (@whosinthebox94) June 15, 2015
Surely now they'll fix it, right?
Nope. Now, it's fully secure.
I invited ASDA to comment on the situation; requesting more detailed information on who customers should contact if they believe they're affected by any security flaws. I received an "out of office" from their "data protection" email address and haven't heard anything since.